Merge pull request #192 from Yamato-Security/188-extract-credentials

feat: add `extract-credentials` command

Author: YamatoSecurity

CHANGELOG-Japanese.md

@@ -2,6 +2,10 @@
 
 ## 2.7.0 [2024/10/21] SecTor Release
 
+**新機能:**
+
+- `extract-credentials`コマンド: セキュリティ4688とSysmon 1イベントのコマンドライン情報から平文の認証情報を取り出す。例: `wmic`、`schtasks`、`net user`、`psexec`の使用。 (#192) (@fukusuket)
+
 **改善:**
 
 - HTMLレポートのRule SummaryページのTotal DetectionsとUnique Detectionsの検出サマリが1つの表に統合された。(#182) (@nishikawaakira)

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## 2.7.0 [2024/10/21] SecTor Release
 
+**New Features:**
+
+`extract-credentials` command: extract out plaintext credentials from the command line information in Security 4688 and Sysmon 1 events. Ex: `wmic`, `schtasks`, `net user`, `psexec` usage. (#192) (@fukusuket)
+
 **Enhancements:**
 
 - Detection summary for Total Detections and Unique Detections in the Rule Summary page of the HTML report has been consolidated into one table. (#182) (@nishikawaakira)

src/takajo.nim

@@ -26,6 +26,7 @@ import takajopkg/takajoCore
 import takajopkg/takajoTerminal
 import takajopkg/ttpResult
 import takajopkg/vtResult
+include takajopkg/extractCredentials
 include takajopkg/extractScriptblocks
 include takajopkg/listDomains
 include takajopkg/listIpAddresses
@@ -62,7 +63,8 @@ when isMainModule:
     clCfg.version = "2.7.0"
     const examples = "Examples:\p"
     const example_automagic = "  automagic -t ../hayabusa/timeline.jsonl [--level low] [--displayTable] -o case-1\p"
-    const example_extract_scriptblocks = "  extract-scriptblocks -t ../hayabusa/timeline.jsonl [--level low] -o scriptblock-logs\p"
+    const example_extract_credentials = "  extract-credentials -t ../hayabusa/timeline.jsonl [--skipProgressBar] -o credentials.csv\p"
+    const example_extract_scriptblocks = "  extract-scriptblocks -t ../hayabusa/timeline.jsonl [--level low]  [--skipProgressBar] -o scriptblock-logs\p"
     const example_list_domains = "  list-domains -t ../hayabusa/timeline.jsonl [--skipProgressBar] -o domains.txt\p"
     const example_list_hashes = "  list-hashes -t ../hayabusa/case-1.jsonl [--skipProgressBar] -o case-1\p"
     const example_list_ip_addresses = "  list-ip-addresses -t ../hayabusa/timeline.jsonl [--skipProgressBar] -o ipAddresses.txt\p"
@@ -95,7 +97,7 @@ when isMainModule:
     clCfg.useMulti = "Version: 2.7.0 Dev Build\pUsage: takajo.exe <COMMAND>\p\pCommands:\p$subcmds\pCommand help: $command help <COMMAND>\p\p" &
         examples &
         example_automagic &
-        example_extract_scriptblocks & example_html_report &
+        example_extract_credentials & example_extract_scriptblocks & example_html_report &
         example_list_domains & example_list_hashes & example_list_ip_addresses & example_list_undetected_evtx & example_list_unused_rules &
         example_split_csv_timeline & example_split_json_timeline &
         example_stack_cmdlines & example_stack_computers & example_stack_dns & example_stack_ip_addresses & example_stack_logons & example_stack_processes & example_stack_services & example_stack_tasks & example_stack_users &
@@ -119,6 +121,16 @@ when isMainModule:
                 "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
             }
         ],
+        [
+            extractCredentials, cmdName = "extract-credentials",
+            doc = "extract plaintext credentials from the command-line auditing",
+            help = {
+                "output": "save results to a csv file",
+                "quiet": "do not display the launch banner (default: false)",
+                "skipProgressBar": "do not display the progress bar (default: false)",
+                "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
+            }
+        ],
         [
             extractScriptblocks, cmdName = "extract-scriptblocks",
             doc = "extract and reassemble PowerShell EID 4104 script block logs",

src/takajopkg/extractCredentials.nim

@@ -0,0 +1,108 @@
+const ExtractCredentialsMsg =
+  """This command extracts plaintext credentials from command-lines in Sysmon 1 and Security 4688 event logs."""
+
+type
+  ExtractCredentialsCmd* = ref object of AbstractCmd
+    seqOfResultsTables*: seq[Table[string, string]]
+
+method filter*(self: ExtractCredentialsCmd, x: HayabusaJson): bool =
+  let eidMatched = (x.EventID == 1 and x.Channel == "Sysmon") or (x.EventID == 4688 and x.Channel == "Sec")
+  if not eidMatched:
+    return false
+  let cmdline = x.Details["Cmdline"].getStr().toLower()
+  let commands = ["net user", "schtasks", "wmic", "psexec"]
+  let cmdMatched = any(commands, proc(x: string): bool = x in cmdline)
+  if "net user" in cmdline:
+    return true # net user does not have password parameter
+  let passwordPram = ["-p", "-password", "-passwd", "–password", "–passwd", "/p", "/password", "/passwd"]
+  let passwordMatched = any(passwordPram, proc(x: string): bool = x in cmdline)
+  return cmdMatched and passwordMatched
+
+proc extractUserPass(cmd: string): (string, string) =
+    let patterns = [
+      (re(r".*/user:([^\s/]+).*"), re(r".*/password:([^\s/]+).*")),  # for wmic
+      (re(r".*/U ([^\s/]+).*"), re(r".*/P ([^\s/]+).*")),  # for schtasks
+      (re(r".*net user ([^\s/]+)"), re(r".*?([^\s/]+) /add.*")),  # for net user
+      (re(r".*-u ([^\s/]+).*"), re(r".*-p ([^\s/]+).*"))  # for psexec
+    ]
+
+    for (userPattern, passwordPattern) in patterns:
+      var username = ""
+      var password = ""
+
+      if cmd =~ userPattern:
+        username = matches[0]
+
+      if cmd =~ passwordPattern:
+        password = matches[0]
+
+      if username != "" and password != "":
+        return (username, password)
+
+    return ("", "")
+
+method analyze*(self: ExtractCredentialsCmd, x: HayabusaJson) =
+  var singleResultTable = initTable[string, string]()
+  singleResultTable["Timestamp"] = x.Timestamp
+  singleResultTable["Computer"] = x.Computer
+  singleResultTable["Event"] = x.Channel & "-" & $(x.EventID)
+  let cmd = x.Details["Cmdline"].getStr()
+  let (user, pass) = extractUserPass(cmd)
+  if user == "" and pass == "":
+    return # skip if no user or password found
+  singleResultTable["User"] = user
+  singleResultTable["Password"] = pass
+  singleResultTable["Cmdline"] = cmd
+  self.seqOfResultsTables.add(singleResultTable)
+
+method resultOutput*(self: ExtractCredentialsCmd) =
+  var savedFiles = "n/a"
+  var results = "n/a"
+  let header = ["Timestamp", "Computer", "Event", "User", "Password", "Cmdline"]
+  if self.output != "":
+    # Open file to save results
+    var outputFile = open(self.output, fmWrite)
+
+    ## Write CSV header
+    outputFile.write(header.join(",") & "\p")
+
+    ## Write contents
+    for table in self.seqOfResultsTables:
+      for i, key in enumerate(header):
+        if table.hasKey(key):
+          if i < header.len() - 1:
+            outputFile.write(escapeCsvField(table[key]) & ",")
+          else:
+            outputFile.write(escapeCsvField(table[key]))
+        else:
+          outputFile.write(",")
+      outputFile.write("\p")
+    outputFile.close()
+    let fileSize = getFileSize(self.output)
+    savedFiles = self.output & " (" & formatFileSize(fileSize) & ")"
+    results = "Events: " & intToStr(self.seqOfResultsTables.len).insertSep(',')
+    if self.displayTable:
+      echo ""
+      echo "Saved results to " & savedFiles
+  else:
+    var table: TerminalTable
+    table.add header
+    for t in self.seqOfResultsTables:
+      table.add t[header[0]], t[header[1]], t[header[2]], t[header[3]], t[header[4]], t[header[5]]
+    if self.displayTable:
+      echo ""
+      table.echoTableSepsWithStyled(seps = boxSeps)
+      echo ""
+  self.cmdResult = CmdResult(results: results, savedFiles: savedFiles)
+
+proc extractCredentials(output: string = "", quiet: bool = false, skipProgressBar: bool = false, timeline: string) =
+  checkArgs(quiet, timeline, "informational")
+  var filePaths = getTargetExtFileLists(timeline, ".jsonl", true)
+  for timelinePath in filePaths:
+    let cmd = ExtractCredentialsCmd(
+                timeline: timelinePath,
+                skipProgressBar: skipProgressBar,
+                output: output,
+                name: "extract-credentials",
+                msg: ExtractCredentialsMsg)
+    cmd.analyzeJSONLFile()

src/takajopkg/takajoCore.nim

@@ -61,7 +61,8 @@ proc analyzeJSONLFile*(self: AbstractCmd, cmds: seq[AbstractCmd] = newSeq[
         try:
           if cmd.filter(jsonLine):
             cmd.analyze(jsonLine)
-        except CatchableError:
+        except CatchableError as e:
+          echo "An error occurred: ", e.msg
           continue
 
   if not self.skipProgressBar:
@@ -81,4 +82,4 @@ proc analyzeJSONLFile*(self: AbstractCmd, cmds: seq[AbstractCmd] = newSeq[
     echo ""
     table.echoTableSepsWithStyled(seps = boxSeps)
 
-  outputElapsedTime(startTime)
+  outputElapsedTime(startTime)